The chdir and chroot system calls are called twice by the rpmverifypackage probe. Consequently, an error occurs when the probe is utilized during an OpenSCAP scan with custom Open Vulnerability and Assessment Language (OVAL) content.

To work around this problem, do not use the rpmverifypackage_test OVAL test in your content or use only the content from the scap-security-guide package where rpmverifypackage_test is not used. (BZ#1603347)

OVAL (Open Vulnerability and Assessment Language) checks used in the SCAP Security Guide project are not able to read a dconf binary database, only files used to generate the database. The database is not regenerated automatically, the administrator needs to enter the dconf update command. As a consequence, changes to the database that are not reflected in files in the /etc/dconf/db/ directory cannot be a part of scanning. This might result in false negatives.

To work around this problem, run dconf update periodically, for example, using the /etc/crontab configuration file. (BZ#1631378)

The following error occurs when trying to generate results-based remediation roles from a customized profile using the the SCAP Workbench tool:

Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]

To work around this problem, use the oscap command with the --tailoring-file option. (BZ#1533108)

The OpenSCAP scanner logs inability to get SELinux context on the ERROR level even in situations where it is not a true error. As a result, OpenSCAP scanner results contain a lot of SELinux context error messages. Both the oscap command-line utility and the SCAP Workbench graphical utility outputs can be hard to read for that reason. (BZ#1640522)